Configuring Identity Assertion

The Knox Gateway identity assertion provider determines which principal is propagated
to the backend cluster service and represents the authenticated user there. This allows the
Knox Gateway to accept requests from external users while the internal (effective) user can be
the product of a mapping, a transformation or some other change that disambiguates the user
identity within the cluster.

There are multiple options for Identity Assertion Provider, configured in Ambari under
Knox>Configs>Advanced topology.

Table 1. Identity Assertion Providers

Each provider is declared as a <provider> element with <role>identity-assertion</role>
inside the <gateway> section of the topology; the <name> column gives the value of its
<name> element.

Provider: Default IAP (Pseudo is the earlier name and is deprecated)
<name>: <name>Default</name>; <name>Pseudo</name> is still accepted but deprecated
Use: The default identity assertion provider enables simple mapping of principal
usernames and groups and is responsible for establishing the identity that gets
propagated to the cluster service as the effective user.

Provider: Concat
<name>: <name>Concat</name>
Use: The Concat identity assertion provider composes a new user principal by
concatenating optionally configured prefix and/or suffix provider parameters onto the
incoming principal. This is useful for converting an incoming identity into a
disambiguated identity within the cluster based on which topology was used to access it.

Provider: SwitchCase
<name>: <name>SwitchCase</name>
Use: The SwitchCase identity assertion provider solves issues where downstream
ecosystem components require user and group principal names to be in a specific case.
Like the other providers, it is enabled and configured within the <gateway> section
of a topology file.

Provider: Regex
<name>: <name>Regex</name>
Use: The regular expression identity assertion provider translates incoming identities
using a regular expression, an output template and a lookup table. It is most useful in
conjunction with the HeaderPreAuth federation provider, which supplies the raw
identity from a trusted proxy header.
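The following is an added example of the Default identity assertion provider inside a topology's <gateway> section; it is not taken from this page or from the Knox project's shipped topologies. The element layout and the parameter names principal.mapping and group.principal.mapping follow the Apache Knox topology conventions and should be checked against the Knox User's Guide for the installed release; the user and group names are made up for illustration.

```xml
<!-- Added example, not from this page: Default identity assertion provider.
     Parameter names follow Apache Knox conventions (verify against your release);
     all user and group names below are hypothetical. -->
<gateway>
    <!-- An authentication or federation provider must precede this one to
         establish the incoming identity; its settings are omitted here. -->
    <provider>
        <role>identity-assertion</role>
        <name>Default</name>
        <enabled>true</enabled>
        <!-- principal.mapping: semicolon-separated incoming=effective pairs.
             A user who authenticated as "guest" reaches the cluster service as
             "sam"; any user not listed is propagated under their own name. -->
        <param>
            <name>principal.mapping</name>
            <value>guest=sam;tom=sam;</value>
        </param>
        <!-- group.principal.mapping: evaluated against the MAPPED principal.
             "*" adds every effective user to "users"; "sam" additionally
             gets "analysts". -->
        <param>
            <name>group.principal.mapping</name>
            <value>*=users;sam=analysts</value>
        </param>
    </provider>
</gateway>
```

Treat principal.mapping as an impersonation control, not a convenience: whatever name comes out of it is the identity the cluster service authorizes, so never map arbitrary or low-trust logins onto a superuser such as the HDFS service account, and keep the set of effective users Knox may impersonate narrow on the cluster side (the proxyuser settings that authorize the Knox service account). Before relying on a mapping, authenticate as one of the mapped users, hit a service through the topology and confirm in the service's audit log that the effective user is the mapped name rather than the login name.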

Define a Default Identity Assertion Provider: The default identity assertion provider enables simple mapping of principal usernames and groups and is responsible for establishing the identity that gets propagated to the cluster service as the effective user.

Concat Identity Assertion Provider: The Concat identity assertion provider composes a new user principal by concatenating optionally configured prefix and/or suffix provider parameters onto the incoming principal. This is useful for converting an incoming identity into a disambiguated identity within the cluster based on which topology was used to access it.

Regular Expression Identity Assertion Provider: The regular expression identity assertion provider translates incoming identities using a regular expression, an output template and a lookup table. It is most useful in conjunction with the HeaderPreAuth federation provider.
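Because the Regex provider is described above as most useful together with HeaderPreAuth, the following added example (not from this page or the Knox project) shows the two side by side in one <gateway> section: HeaderPreAuth takes the user from a header set by an upstream SSO proxy, and Regex rewrites it before it reaches the cluster. The provider names and parameter names (preauth.validation.method, preauth.ip.addresses, preauth.custom.header, input, output, lookup) follow the Apache Knox topology conventions as documented upstream and should be verified against the Knox User's Guide for your release; the proxy address, header value and lookup table are invented for illustration.

```xml
<!-- Added example, not from this page: HeaderPreAuth federation plus Regex
     identity assertion. Names follow Apache Knox conventions (verify against
     your release); the IP address, header and lookup values are hypothetical. -->
<gateway>
    <provider>
        <role>federation</role>
        <name>HeaderPreAuth</name>
        <enabled>true</enabled>
        <!-- HeaderPreAuth trusts a request header as the authenticated user.
             Without source-address validation, any client that can reach Knox
             directly can assert an arbitrary identity simply by setting the
             header, so restrict trust to the SSO proxy's address(es). -->
        <param>
            <name>preauth.validation.method</name>
            <value>preauth.ip.validation</value>
        </param>
        <param>
            <name>preauth.ip.addresses</name>
            <value>10.0.0.5</value>
        </param>
        <!-- Header carrying the user principal; SM_USER is Knox's default. -->
        <param>
            <name>preauth.custom.header</name>
            <value>SM_USER</value>
        </param>
    </provider>
    <provider>
        <role>identity-assertion</role>
        <name>Regex</name>
        <enabled>true</enabled>
        <!-- input:  regex matched against the incoming principal, for example
                     nobody@us.example.com -> group 1 "nobody", group 2 "us"
             output: template; {1} inserts group 1 verbatim, {[2]} inserts
                     group 2 after passing it through the lookup table
             lookup: semicolon-separated key=value table used by {[n]} -->
        <param>
            <name>input</name>
            <value>(.*)@(.*?)\..*</value>
        </param>
        <param>
            <name>output</name>
            <value>{1}_{[2]}</value>
        </param>
        <param>
            <name>lookup</name>
            <value>us=USA;ca=CANADA</value>
        </param>
    </provider>
</gateway>
```

With this configuration a header value of nobody@us.example.com produces the effective user nobody_USA, and alice@ca.example.com produces alice_CANADA. Two edge cases deserve a test before deployment rather than an assumption: a principal that does not match the input expression at all, and a match whose group value (for example "uk") has no entry in the lookup table. Send both through the topology and check which identity the cluster service records; newer Knox releases expose a use.original.on.lookup.failure parameter for the second case, but confirm its presence and default in your release's documentation.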